iOS 7 security flaws uncovered as new iPhones released


Vulnerability: The iOS 7 lock screen. Photo: James W. Manning

Security flaws have been uncovered in Apple’s new iOS 7 software, just a day after its release.

A thief who steals an iPhone or iPad running the new software would be able to exploit the flaw and disable the Find my iPhone feature, used by owners and police to track down stolen Apple devices, even if the thief does not have the password for the device.

In iOS 7, a new Control Centre feature houses all of the basic settings for the iPhone, and it can be accessed by swiping up on any screen, including the lock screen visible before you type in your password. Apple’s sassy personal digital assistant, Siri, is also available from the lock screen by default in iOS 7.

A user can use the Control Centre or instruct Siri to put the device into aeroplane mode, which cuts off all mobile data, reception, Wi-Fi and GPS connections, rendering the Find my iPhone feature useless.

Apple users who have upgraded to iOS 7 can protect themselves from the potential security vulnerability by turning off access to Siri and Control Centre from the lock screen under their device’s settings.

The company has not commented publicly on the security flaw and did not respond to requests for comment.

Forbes reported that Jose Rodriguez, of Spain’s Canary Islands, had uncovered another iOS 7 security vulnerability that again takes advantage of Control Centre access from the lock screen.

Under this exploit, users without the device’s password are able to bypass the lock screen in seconds to access photos, email, Twitter and other applications.

As Rodriguez demonstrates in a YouTube video, users can swipe up on the lock screen to access the centre and then open the alarm clock. Users can then hold down the device’s sleep button, which brings up the option to turn it off. But if a user taps cancel and then double-clicks the phone’s home button, they will be taken to the multi-tasking screen, which allows access to the camera and photos and the ability to share those photos from the device-owner’s accounts.

Essentially, anyone who picks up the phone would be able to hijack the iPhone or iPad owner’s email, Twitter, Facebook and Flickr accounts.

An Apple spokeswoman said the company was preparing a fix that it would deliver as a future update to iOS 7. “Apple takes user security very seriously,” she said.

Apple devices on to which the new iOS 7 software has been downloaded are vulnerable to both security flaws, as are the new iPhone 5s and 5c, which were released in Australia, the United States and other countries on Friday.

Meanwhile, security researchers have questioned Apple’s claims that its iMessage service is secured using strong encryption after uncovering what they say is a flaw that enables messages to be spied on.

In April, Apple’s iMessage service attracted attention after a document showed the US Drug Enforcement Agency was complaining internally about not being able to snoop on communications sent using the service. Apple has consistently said the messages are exchanged using “secure end-to-end encryption”, meaning it can’t hand them over to authorities. Even after the technology giant was linked to the US National Security Agency’s PRISM surveillance program in June, it put out a statement reiterating that iMessage conversations “are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data.”

However, it seems the service is not as secure as Apple would like you to believe. Two researchers at security firm Quarkslab claim they have been studying the protocol used by iMessage and that “Apple can technically read your iMessages whenever they want”. The researchers, who are due to present their findings at the HITB Security Conference in Asia in October, have apparently found a way to circumvent the encryption, using a so-called “man-in-the-middle” attack, which usually involves a hacker covertly bypassing the encryption by using a fake security certificate.

The fact that this may be possible with iMessage is not evidence that Apple has been reading people’s messages, but it does mean the company’s encryption is vulnerable to being exploited by a sophisticated hacker group or spy agency. One of the Quarkslab researchers told Techcrunch that “the iMessage protocol is strong”, though added that “Apple or a powerful institution (NSA is randomly chosen as an example) could tamper with it”. The researchers say they are planning to release a tool that will shield against potential iMessage snooping attacks and hope to work with Apple to strengthen the security of the service.

Apple had not responded to a request for comment at the time of publication.

with Slate and Reuters

This story first appeared on Nanjing Night Net.
